DIBStack

CMMC Level 2 and NIST SP 800-171: Organizing Evidence for CUI

CMMC Level 2 protects CUI and is based on NIST SP 800-171 Rev. 2 — 110 requirements across 14 families. Here is how a small DIB team organizes the evidence.

What Level 2 is about

CMMC Level 2 is the level most small defense contractors care about, because it applies to Controlled Unclassified Information (CUI). Its control baseline is NIST SP 800-171 Rev. 2, which contains 110 security requirements organized into 14 families. Level 2 also intersects with several DFARS clauses covering safeguarding, incident reporting, and DoD assessment scoring.

This article is generic and educational. It explains how a small team organizes evidence at this level — it does not reproduce the control text, interpret the requirements for you, or determine whether you satisfy them. Read the requirements at the source and decide what applies to your environment.

The 14 families

NIST SP 800-171 groups its requirements into 14 families. Knowing the family names is useful purely as an organizing structure for your evidence:

Access Control · Awareness and Training · Audit and Accountability · Configuration Management · Identification and Authentication · Incident Response · Maintenance · Media Protection · Personnel Security · Physical Protection · Risk Assessment · Security Assessment · System and Communications Protection · System and Information Integrity.

A simple way to stay organized is to keep an evidence matrix with one section per family, recording which artifacts you hold and where they live.
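A minimal coverage check for such a matrix, as an added example (it is not DIBStack Evidence Binder code). It assumes a hypothetical layout: one folder per family under an evidence root, and a CSV matrix with artifact, family, path and owner columns; the matrix rows and the files on disk are constructed for the demo. It reports which families have no recorded artifact, rows whose family name does not match one of the 14, files the matrix references but the binder lacks, and artifacts filed under a different family's folder. It is an inventory check only and says nothing about whether any requirement is met.

```python
"""Evidence-matrix coverage check for a NIST SP 800-171 Rev. 2 binder.

Added example, not DIBStack code. Assumes a hypothetical layout of one
folder per family under an evidence root plus a CSV matrix with the
columns artifact, family, path, owner. Reports inventory gaps only.
"""
import csv
import io
import os
import tempfile

# The 14 families of NIST SP 800-171 Rev. 2, used as folder and matrix keys.
FAMILIES = (
    "Access Control", "Awareness and Training", "Audit and Accountability",
    "Configuration Management", "Identification and Authentication",
    "Incident Response", "Maintenance", "Media Protection",
    "Personnel Security", "Physical Protection", "Risk Assessment",
    "Security Assessment", "System and Communications Protection",
    "System and Information Integrity",
)

# Constructed sample matrix (hypothetical artifacts, not real evidence).
# Deliberate defects: no Maintenance row, one misspelled family,
# one file absent from disk, one artifact filed under the wrong folder.
SAMPLE_MATRIX = """artifact,family,path,owner
MFA policy,Access Control,Access Control/mfa-policy.pdf,it-lead
Privileged accounts inventory,Access Control,Access Control/privileged-accounts.xlsx,it-lead
Training completion log,Awareness and Training,Awareness and Training/training-log.csv,hr
Acceptable use policy,Awareness and Training,Personnel Security/aup.pdf,hr
SIEM retention config,Audit and Accountability,Audit and Accountability/siem-retention.txt,it-lead
Workstation baseline,Configuration Management,Configuration Management/baseline-ws.md,it-lead
Password policy export,Identification and Authentication,Identification and Authentication/pw-policy.txt,it-lead
IR plan,Incident Response,Incident Response/ir-plan.docx,ciso
Media sanitization log,Media Protection,Media Protection/sanitization-log.csv,it-lead
Screening procedure,Personnel Security,Personnel Security/screening.md,hr
Badge access logs,Physical Protection,Physical Protection/badge-log.csv,facilities
Risk assessment report,Risk Assessment,Risk Assessment/ra-2024.pdf,ciso
Vulnerability scan report,Risk Assesment,Risk Assessment/vuln-scan-2024.pdf,it-lead
SSP,Security Assessment,Security Assessment/ssp.docx,ciso
POA&M,Security Assessment,Security Assessment/poam.xlsx,ciso
Segmentation diagram,System and Communications Protection,System and Communications Protection/segmentation.png,it-lead
EDR coverage report,System and Information Integrity,System and Information Integrity/edr-coverage.csv,it-lead
"""


def load_matrix(text):
    """Parse the CSV matrix into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def check_matrix(rows, root):
    """Compare the matrix against the 14 families and the files under root."""
    per_family = {fam: 0 for fam in FAMILIES}
    unknown, missing, mismatch = set(), [], []
    for row in rows:
        fam = row["family"].strip()
        if fam not in per_family:
            unknown.add(fam)          # typo or non-standard family name
            continue
        per_family[fam] += 1
        top_folder = row["path"].split("/", 1)[0]
        if top_folder != fam:         # filed under another family's folder
            mismatch.append(row["artifact"])
        if not os.path.isfile(os.path.join(root, row["path"])):
            missing.append(row["path"])  # matrix claims it, binder lacks it
    uncovered = [fam for fam, n in per_family.items() if n == 0]
    return {"per_family": per_family, "unknown_families": unknown,
            "missing_files": missing, "folder_mismatch": mismatch,
            "uncovered_families": uncovered}


def build_sample_tree(root, rows, leave_missing=("edr-coverage.csv",)):
    """Create family folders and the referenced files, except leave_missing (demo only)."""
    for fam in FAMILIES:
        os.makedirs(os.path.join(root, fam), exist_ok=True)
    for row in rows:
        if os.path.basename(row["path"]) in leave_missing:
            continue
        full = os.path.join(root, row["path"])
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("placeholder artifact\n")


def demo():
    """Run the check against a temporary binder built from the sample matrix."""
    rows = load_matrix(SAMPLE_MATRIX)
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, rows)
        return check_matrix(rows, root)


if __name__ == "__main__":
    report = demo()
    for key in ("uncovered_families", "unknown_families",
                "missing_files", "folder_mismatch"):
        print(f"{key}: {sorted(report[key])}")
```

Run it as is to see the four defect lists; point check_matrix at your real evidence root and a matrix loaded from a file to use it on a binder. Families with a count of zero are the ones to look at first, since an assessor will ask for something in every family.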

The capability areas it touches

Compared with Level 1, Level 2 adds depth: central identity and privileged access management, endpoint detection and response, vulnerability scanning, central logging, configuration baselines and encryption, CUI-specific data protection, controlled file sharing, network segmentation, formal incident response, and a documented program (SSP and POA&M). As always, the program does not require a specific vendor — it requires the capability and the evidence.

The two documents people forget

Two artifacts are central at Level 2 and are often left until last:

  • System Security Plan (SSP) — a description of your environment and how you address each family. It is something you write about your own systems; a blank SSP starter outline gives you the structure without putting words in your mouth.
  • Plan of Action and Milestones (POA&M) — your own list of items you have decided to work on, with owners and target dates.

Neither document determines your compliance. They organize what you have done and what you plan to do.

Assessment and SPRS context

Several DFARS clauses sit around Level 2: the clause requiring you to safeguard covered defense information and report cyber incidents (252.204-7012), the notice that a current NIST SP 800-171 DoD Assessment score must be posted in the Supplier Performance Risk System (SPRS) before award (252.204-7019), and the assessment requirements clause that supports it (252.204-7020). These are contractual requirements you read and apply yourself; organizing your evidence simply makes it easier to support whatever assessment you are subject to.

Where to read the requirements

NIST SP 800-171 Rev. 2 is published by NIST in its Computer Security Resource Center, and the DFARS clauses above are in 48 CFR Chapter 2, Part 252. A fuller list is in our regulatory sources guide.

Organizing it

The volume of evidence at Level 2 is what makes structure worth it. The DIBStack Evidence Binder provides a standardized set of folders, the evidence matrix, the SSP outline, the POA&M tracker, and the supporting templates — a self-service kit you run entirely on your side. It helps you organize evidence; it does not determine whether your organization is compliant.

Related product

DIBStack Evidence Binder

Folder structures, evidence checklists, workbooks, logs, and templates for organizing cybersecurity evidence.
